johnnyfive has quit [Ping timeout: 244 seconds]
primeos has quit [Ping timeout: 244 seconds]
primeos has joined #nixos-security
johnnyfive has joined #nixos-security
tilpner has quit [Quit: :wq]
tilpner has joined #nixos-security
<andi-> I'll try to look at the systemd issues tonight or during the flight.. Probably won't be done before tomorrow morning due to time wasted to go from A to B.
periklis has joined #nixos-security
pie_ has quit [Ping timeout: 252 seconds]
periklis has quit [Ping timeout: 276 seconds]
pie_ has joined #nixos-security
copumpkin has joined #nixos-security
periklis has joined #nixos-security
erictapen has joined #nixos-security
<erictapen> hello everyone, is it possible, that CVE-2018-14665 in xorg was not addressed yet in nixpkgs? if yes, what would be a good way to help? context: https://lists.x.org/archives/xorg-announce/2018-October/002927.html
<ekleog> erictapen: It hasn't been addressed because, as far as we are aware, nixpkgs isn't affected by this vulnerability (Xorg isn't setuid in nixpkgs). Now, if you want to help, you can submit a PR adding the proper patch to https://github.com/NixOS/nixpkgs/ , and it will likely be accepted :)
<ekleog> and if you want to help on other security vulnerabilities, there is a good list of ones that haven't been handled yet at https://github.com/NixOS/nixpkgs/issues?utf8=%E2%9C%93&q=vulnerability+roundup+is%3Aopen , also :)
<erictapen> ekleog: ah, that setuid distinction is something I didn't understand, so I overlooked it. Will try to come up with a PR then!
<periklis> how do we handle actually the case that not two contributors do the same research behind a cve from a roundup ticket? is there a procedure?
<andi-> Note it in the issue? :)
pie_ has quit [Remote host closed the connection]
pie_ has joined #nixos-security
erictapen has quit [Ping timeout: 240 seconds]
<periklis> andi-: that's an option, but we ping people (cc...)
erictapen has joined #nixos-security
<periklis> andi-: are the CVEs across issues de-duplicated?
<erictapen> regarding the xorg issue: I found out, that their patch doesn't apply as smoothly as I thought and also I don't really get the xorg expressions in nixpkgs. So I don't see really land here, thought it would be a fast PR
<andi-> erictapen: can you link the patch? Still not at home
<andi-> How should be simple to adjust to our version. How's it failing?
<erictapen> andi: the patch fails to apply, but first of all I'm unsure about in which versions of xorgserver to apply the patch and where not
<andi-> It probably needs some massaging. I can try to give you a hand at that later (~3h) or tomorrow
<erictapen> andi: nice. I don't see myself doing it before next weekend
<andi-> Ok
<periklis> do we still backport patches for 18.03? where can i see the policy?
<LnL> we usually keep the old release up to date for about a month after the new one is out
<LnL> but some people backport longer, it's not like that's not allowed :)
erictapen has quit [Quit: leaving]
erictapen has joined #nixos-security
<periklis> ah good to know, are these practices somewhere documented?
<LnL> not sure, this is the only thing I know about https://nixos.org/nixos/manual/index.html#release-process
<LnL> but that's more about the new release itself
erictapen has quit [Ping timeout: 244 seconds]
<periklis> i did some research on No.47 for 18.09. If someone can give some feedback before starting PRs as a newbie i would be glad
erictapen has joined #nixos-security
periklis has quit [Ping timeout: 250 seconds]